-
openssl (3.0.8-1ubuntu1.4) lunar-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: AES-SIV implementation ignores empty associated data
entries
- debian/patches/CVE-2023-2975.patch: do not ignore empty associated
data with AES-SIV mode in
providers/implementations/ciphers/cipher_aes_siv.c.
- CVE-2023-2975
* SECURITY UPDATE: Incorrect cipher key and IV length processing
- debian/patches/CVE-2023-5363-1.patch: process key length and iv
length early if present in crypto/evp/evp_enc.c.
- debian/patches/CVE-2023-5363-2.patch: add unit test in
test/evp_extra_test.c.
- CVE-2023-5363
[ Ian Constantin ]
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of
an excessively large modulus in DH_check().
- CVE-2023-3446
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of
invalid q values in DH_check().
- CVE-2023-3817
-- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 08:02:49 -0400
-
openssl (3.0.8-1ubuntu1.2) lunar-security; urgency=medium
* SECURITY UPDATE: DoS in AES-XTS cipher decryption
- debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
crypto/aes/asm/aesv8-armx.pl.
- CVE-2023-1255
* SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
- debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
IDENTIFIERs that OBJ_obj2txt will translate in
crypto/objects/obj_dat.c.
- CVE-2023-2650
* Replace CVE-2022-4304 fix with improved version
- debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
- debian/patches/CVE-2022-4304.patch: use alternative fix in
crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.
-- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:04:49 -0400
-
openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium
* SECURITY UPDATE: excessive resource use when verifying policy constraints
- debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
in a policy tree (the default limit is set to 1000 nodes).
- debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
resource overuse.
- debian/patches/CVE-2023-0464-3.patch: disable the policy tree
exponential growth test conditionally.
- CVE-2023-0464
* SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
- debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
is checked even in leaf certs.
- debian/patches/CVE-2023-0465-2.patch: generate some certificates with
the certificatePolicies extension.
- debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
- CVE-2023-0466
* SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
not enabled as documented
- debian/patches/CVE-2023-0466.patch: fix documentation of
X509_VERIFY_PARAM_add0_policy().
- CVE-2023-0466
-- Camila Camargo de Matos <email address hidden> Mon, 24 Apr 2023 07:52:33 -0300
-
openssl (3.0.8-1ubuntu1) lunar; urgency=medium
* Merge 3.0.8 from Debian testing (LP: #2006954)
- Remaining changes:
+ Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
openssl
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/restart-without-asking template as used by above.
+ Add support for building with noudeb build profile.
+ Use perl:native in the autopkgtest for installability on i386.
-- Adrien Nader <email address hidden> Mon, 20 Feb 2023 16:10:19 +0100
-
openssl (3.0.7-1ubuntu1) lunar; urgency=medium
* Merge 3.0.7 from Debian unstable (LP: #1998942)
- Drop patches merged upstream:
+ CVE-2022-3358.patch
+ CVE-2022-3602-1.patch
+ CVE-2022-3602-2.patch
- Shrink patch since upstream fixed some tests in the patch above:
+ tests-use-seclevel-1.patch
- Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
+ Set-systemwide-default-settings-for-libssl-users.patch
- Drop Debian patch not needed anymore:
+ TEST-Provide-a-default-openssl.cnf-for-tests.patch
- Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
+ tls1.2-min-seclevel2.patch
- Remaining changes:
+ Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
openssl
+ d/libssl3.postinst: Revert Debian deletion
- Skip services restart & reboot notification if needrestart is in-use.
- Bump version check to 1.1.1 (bug opened as LP: #1999139)
- Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Import libraries/restart-without-asking template as used by above.
+ Add support for building with noudeb build profile.
+ Use perl:native in the autopkgtest for installability on i386.
* Correct comment as to which TLS version is disabled with our seclevel:
- skip_tls1.1_seclevel3_tests.patch
[Sebastian Andrzej Siewior]
* CVE-2022-3996 (X.509 Policy Constraints Double Locking).
openssl (3.0.7-1) unstable; urgency=medium
* Import 3.0.7
- Using a Custom Cipher with NID_undef may lead to NULL encryption
(CVE-2022-3358) (Closes: #1021620).
- X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
- X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
* Disable rdrand engine (the opcode on x86).
* Remove config bits for MIPS R6, the generic MIPS config can be used.
openssl (3.0.5-4) unstable; urgency=medium
* Add ssl_conf() serialisation (Closes: #1020308).
openssl (3.0.5-3) unstable; urgency=medium
* Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
(Closes: #805646).
* Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).
-- Adrien Nader <email address hidden> Tue, 06 Dec 2022 15:11:40 +0100
-
openssl (3.0.5-2ubuntu2) kinetic-security; urgency=medium
* SECURITY UPDATE: X.509 Email Address Buffer Overflow
- debian/patches/CVE-2022-3602-1.patch: fix off by one in punycode
decoder in crypto/punycode.c, test/build.info, test/punycode_test.c,
test/recipes/04-test_punycode.t.
- debian/patches/CVE-2022-3602-2.patch: ensure the result is zero
terminated in crypto/punycode.c.
- CVE-2022-3602
* SECURITY UPDATE: legacy custom cipher issue
- debian/patches/CVE-2022-3358.patch: fix usage of custom EVP_CIPHER
objects in crypto/evp/digest.c, crypto/evp/evp_enc.c.
- CVE-2022-3358
-- Marc Deslauriers <email address hidden> Thu, 27 Oct 2022 13:05:01 -0400
-
openssl (3.0.5-2ubuntu1) kinetic; urgency=low
* Merge from Debian unstable (LP: #1987047). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- d/libssl3.postinst: Revert Debian deletion
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Import libraries/restart-without-asking template as used by above.
- Add support for building with noudeb build profile.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Use perl:native in the autopkgtest for installability on i386.
- d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
testsuite
- d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it
on Ubuntu to make it easier for user to change security level
* Dropped changes, merged upstream:
- d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4
regression on AVX-512 capable CPUs.
* Revert the provider removal from the default configuration, following
discussions on LP: #1979639
openssl (3.0.5-2) unstable; urgency=medium
* Update to commit ce3951fc30c7b ("VC++ 2008 or earlier x86 compilers…")
(Closes: #1016290).
openssl (3.0.5-1) unstable; urgency=medium
* Import 3.0.5
- Possible module_list_lock crash (Closes: #1013309).
- CVE-2022-2097 (AES OCB fails to encrypt some bytes).
* Update to 55461bf22a57a ("Don't try to make configuration leaner")
* Use -latomic on arc,nios2 and sparc (Closes: #1015792).
openssl (3.0.4-2) unstable; urgency=medium
* Address a AVX2 related memory corruption (Closes: #1013441)
(CVE-2022-2274).
-- Simon Chopin <email address hidden> Fri, 19 Aug 2022 10:05:04 +0200
